Privacy Policy
Effective: June 11, 2026
Last updated: June 11, 2026
Stack Stitch (the "Service") is operated by StackStitch ("we", "us") — currently its founding team, based in Colombia; a legal entity is being formed and this policy will be updated to name it once incorporated. This policy is governed by the laws of Colombia (Ley 1581 de 2012 — Habeas Data). Responsible party: StackStitch — hello@stackstitch.dev. The legal entity and responsible-party details will be updated once incorporated and reviewed by counsel.
1. Summary (plain language)
Stack Stitch is a desktop app + backend that connects to the tools developers use (Slack, GitHub, Jira/Linear, and — when you enable it — your calls), and proactively surfaces things you might miss, with the original sources attached. To do that, we process the content you connect, store a copy on our hosted infrastructure, and send relevant content to AI providers to generate suggestions. We do not sell your data. You stay in control: you choose what to connect, and you can disconnect or delete your data. Call recording is off by default and is your responsibility to use lawfully (see §7).
2. Information we collect
a. Account & identity. When you sign in (via Google / Firebase Authentication) we receive your email, name, and an authentication token. We store a user record and authentication state.
b. Data from connected sources (with your authorization). When you connect a source via OAuth, we access and ingest the data you authorize, which may include: Slack — messages, threads, channels, and metadata from authorized workspaces; GitHub — pull requests, issues, and related metadata; Jira / Linear (if connected) — issues and metadata. This data may include information about third parties (e.g. your coworkers who posted in a channel or authored a PR). See §8.
c. Calls & audio (only when you enable call capture). If you enable the calls feature, we capture call audio (input/output), generate transcripts, and apply speaker diarization (labels). This is off by default and applies only to calls you choose to capture. See §7 on recording consent.
d. Content & derived data. From the above we create and store: source "artifacts", proactive notifications (the central object of the product), the correlated context behind each notification, discussion threads, and vector embeddings used for retrieval.
e. Billing data. Payments are processed by our Merchant of Record, Polar (which uses Stripe). We do not receive or store your full card details. We store your subscription status and provider identifiers (e.g. customer/subscription IDs, invoice metadata).
f. Usage, device & diagnostics. Product analytics and telemetry (via Google Analytics / Measurement Protocol), error logs, and basic device/app information, to operate and improve the Service.
3. How we use your information
- To provide the Service: ingest connected content, generate proactive notifications grounded in their sources, power search/retrieval, and run discussions.
- To authenticate you and keep your account secure.
- To process billing (via Polar) and manage trials/subscriptions.
- To maintain, debug and improve reliability and quality.
- To communicate with you about the Service.
We process your data to provide the Service you requested and on the basis of your consent (which you give by connecting sources / enabling features) and our legitimate interest in operating the product. We do not sell your personal data. We do not use your connected content or transcripts to train our own models, and — where an AI provider offers the option — we configure that provider not to train its models on your content (see §4–§5); we send only what is necessary to generate your results. We may use aggregated and de-identified data to operate, secure and improve the Service.
4. AI processing
A core part of the Service sends your content (e.g. messages, code/PR text, call transcripts, and excerpts) to AI model and embedding providers so they can generate notifications, summaries, and search results. Today these providers include Anthropic (Claude) and/or OpenRouter for chat, and local or OpenRouter embeddings (configurable). These providers process the content under their own terms; we send the minimum necessary to produce your results. AI output may be inaccurate or incomplete — see the Terms.
5. Sub-processors
We rely on the following third parties to operate the Service. Each processes data only to provide its function:
| Sub-processor | Purpose | Data involved |
|---|---|---|
| Google Firebase | Authentication / identity | Email, name, auth tokens |
| Anthropic | AI chat / generation | Connected content excerpts sent for processing |
| OpenRouter | AI chat / embeddings (per config) | Connected content excerpts |
| OpenAI | Call transcription (cloud transcription mode — default today) | Call audio + transcript |
| Cloud diarization provider (e.g. Modal), when enabled | Speaker diarization | Call audio |
| Polar (Merchant of Record) + Stripe | Payments, invoices, tax | Billing/payment data (handled by them) |
| MongoDB Atlas | Primary data store (hosted) | Account + connected/derived content |
| Qdrant (managed) | Vector index for retrieval | Embeddings derived from content |
| DigitalOcean | Backend hosting | All processed data in transit/at rest |
| Google Analytics (GA4) | Product analytics | Usage/telemetry |
For the current early-access release, call transcription runs through a cloud provider (OpenAI), and speaker diarization may use a cloud provider. In this mode, your call audio and/or transcripts are sent to those providers solely to produce your transcript. A self-hosted/local mode also exists in the software and may be offered later. We will provide notice of material changes to this list.
6. Where your data is processed / international transfers
The Service runs on hosted infrastructure and uses providers located outside Colombia — including the United States and the European Union (our AI providers, database/vector hosting, the application host, and analytics; see §5). This involves an international transfer/transmission of data under Ley 1581. By using the Service you authorize this transfer so we can provide the Service.
7. Call recording & consent (read this carefully)
Call capture is disabled by default. If you enable it, you are responsible for complying with all applicable recording, wiretapping and privacy laws, which in many jurisdictions require the consent of all participants before recording. You are responsible for informing participants and obtaining any required consent. Before capturing a call, the app will require you to confirm that you have consent from all participants (an explicit in-app acknowledgment). Stack Stitch provides the tool; you control when and whether to record. Call audio, transcripts and speaker labels may contain sensitive personal data; we process them only to provide the Service to you, and you may delete them.
8. Third-party data & your authority
When you connect a source or capture a call, the data may include information about other people. By connecting sources and enabling features, you represent that you have the authority and right to do so (including any authorization from your employer/organization) and to allow us to process that data on your behalf.
Our role differs by data category: for connected-workspace content (Slack/GitHub/Jira data and call content you bring in), you (or your organization) are the data controller and we act as a data processor on your instructions. For account, billing, analytics, security, support, and our own product decisions, we act as the data controller and process under this policy.
9. Data retention
| Data | Retention |
|---|---|
| Account + connected/derived content (artifacts, notifications, transcripts, embeddings) | While your account is active |
| After source disconnect or account deletion | Primary data deleted or de-identified within 30 days |
| Raw call audio | Deleted after transcription/diarization; if a buffer is needed, max 7 days |
| Backups | Rolling purge within 90 days |
| Operational logs | 30 days |
| Security / audit logs | 90 days |
| Minimal billing records | While account active + as required by law (Polar retains payment/tax records) |
10. Security
We apply technical and organizational measures appropriate to the data, including: encryption in transit (TLS); encryption at rest for sensitive credentials (connector OAuth tokens and any user-provided keys are stored encrypted); least-privilege access; and tenant isolation (each user's data is scoped to their account). No system is perfectly secure; we cannot guarantee absolute security.
11. Your rights (Habeas Data / data subject rights)
Under Colombian Ley 1581 de 2012 (and comparable rights for users elsewhere), you may: access, know, update and rectify your data; request deletion or that we refrain from using it; withdraw the consent you gave; obtain proof of the consent granted; and be informed of how your data is used.
How to exercise them:
- Channel: send your request to hello@stackstitch.dev identifying yourself; we may ask for reasonable proof of identity (and, for organization data, of authorization).
- Information requests (consultas): answered within 10 business days, extendable by up to 5 more with notice.
- Complaints (reclamos) — to correct, update, delete, or for alleged breaches: handled within 15 business days, extendable by up to 8 more with notice.
- Proof of authorization: we keep evidence of the consent/authorization you provided, as the law requires.
- Escalation: if unresolved, you may file a claim with the Superintendencia de Industria y Comercio (SIC), Colombia's data-protection authority, after exhausting the process with us.
You can also disconnect sources or delete your account at any time from the app.
12. Children
The Service is not directed to anyone under 18, and we do not knowingly collect their data.
13. Changes to this policy
We may update this policy; material changes will be notified via the app or stackstitch.dev, and the "Last updated" date will change.
14. Contact
Questions or requests: hello@stackstitch.dev · StackStitch (founding team, Colombia; legal entity pending).